Symantec warns about Duqu, a new Stuxnet-style threat

Designed to steal information instead of sabotaging systems, Duqu bears striking similarities to cyber attack on Iran's nuclear program

InfoWorld | Oct 18, 2011

Symantec today warned that a new Stuxnet-like attack dubbed Duqu may be on the horizon, based on file samples the security company received from an undisclosed research lab with "strong international connections." Parts of Duqu are nearly identical to Stuxnet, which infamously wreaked havoc on Iran's nuclear program, though its purpose is far different: It aims to steal information from industrial control systems instead of sabotaging them.

Duqu was written either by the authors of Stuxnet or by someone with access to the Stuxnet source code, according to Symantec. It appears to have been created after the last Stuxnet file was recovered. It derives its name from the prefix of the names of the files it creates, .DQ. The malware's purpose, according to Symantec, is to gather data and assets, such as design documents, from ICS (industrial control system) manufacturers. That information, in turn, could help attackers mount an offensive against an industrial control facility. It's plausible that the hackers behind Duqu are also using undetected variants to target other types of organizations, Symantec cautioned.

Duqu itself contains no code related to ICSes; it's primarily a non-self-replicating RAT (remote access Trojan). Using a custom protocol over HTTP and HTTPS, Duqu communicates with a command-and-control server to download executables, such as information-stealing malware capable of recording keystrokes and swiping other sensitive system information for use in future attacks. The stolen information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated, according to Symantec. Perhaps to hide its tracks, the command-and-control protocol uploads and downloads what appear to be JPG files as it sends and receives encrypted files for exfiltration.
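A defender reading the above will want a way to spot HTTP transfers that claim to be JPEG images but do not behave like plain images. The following is an added example, not Symantec's code and not a description of Duqu's actual protocol: it walks the JPEG segment structure of a captured response body and flags bodies that either are not parseable JPEGs or carry extra bytes after the end-of-image marker. The sample image bytes and the thresholds are constructed for the example.

```python
import struct

def jpeg_payload_end(data: bytes) -> int:
    """Walk JPEG marker segments and return the offset just past the
    EOI (FF D9) marker, or -1 if the data is not a parseable JPEG."""
    if not data.startswith(b"\xff\xd8\xff"):          # SOI followed by a marker
        return -1
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                            # EOI with no scan data
            return pos + 2
        if marker == 0xDA:                            # SOS: entropy-coded data follows
            seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            scan = pos + 2 + seg_len
            while scan + 1 < len(data):               # scan for EOI in the coded data
                if data[scan] == 0xFF and data[scan + 1] == 0xD9:
                    return scan + 2
                scan += 1
            return -1
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM: no length field
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
    return -1

def classify_transfer(content_type: str, body: bytes) -> list:
    """Return a list of reasons a declared image/jpeg body looks suspicious.
    An empty list means the body is a plain JPEG (or not a JPEG claim at all)."""
    reasons = []
    if content_type.lower().split(";")[0].strip() != "image/jpeg":
        return reasons                                # only JPEG claims are checked here
    end = jpeg_payload_end(body)
    if end < 0:
        reasons.append("declared image/jpeg but no parseable JPEG structure")
    elif end < len(body):
        reasons.append(f"{len(body) - end} bytes appended after JPEG EOI marker")
    return reasons

# Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, three bytes of scan data, EOI.
TINY_JPEG = (b"\xff\xd8"
             b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
             b"\x12\x34\x56"
             b"\xff\xd9")

if __name__ == "__main__":
    print(classify_transfer("image/jpeg", TINY_JPEG))              # []
    print(classify_transfer("image/jpeg", TINY_JPEG + b"\x00" * 40))
```

A real deployment would run this over proxy or IDS-captured bodies and treat appended data, or a declared image that never parses, as a lead to investigate rather than proof of infection.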